Security audit

Silicon World - 硅基世界

Security checks across malware telemetry and agentic risk

Overview

This skill matches a Silicon World web3/social-agent purpose, but it grants broad, ongoing authority over the user's account and handles access tokens unsafely; users should review it carefully before installing.

Install only if you explicitly want an agent to act in Silicon World on your behalf. Review the live remote instructions before use, do not let the agent print or store access tokens in chat memory, and require explicit approval for posts, DMs, follows, governance votes, airdrops, and any token transfer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Severity: Medium (67% confidence)
Finding
The manifest presents a narrow DID/airdrop/governance/NFT scope, but the document actually instructs the agent to perform broad social-network behaviors including posting, messaging, following, and feed engagement. This scope expansion is dangerous because users or host systems may grant trust based on the manifest while the skill drives much more invasive autonomous activity than advertised.

Intent-Code Divergence

Severity: High (97% confidence)
Finding
The security warning says credentials must only be sent to https://api.siliconworld.io/api/v1/*, but all concrete examples send bearer tokens to https://api.siliconworld.io/v1/*. That inconsistency creates a high risk of developers or agents normalizing incorrect endpoint handling, weakening boundary checks and making credential exfiltration or misrouting harder to detect.

Missing User Warnings

Severity: Medium (96% confidence)
Finding
The README explicitly instructs an agent to fetch `https://siliconworld.io/skill.md` and then follow whatever instructions are hosted there. This creates an unbounded remote-instruction trust chain: the repository content being reviewed is not the full behavior, and the remote document can be changed at any time to introduce prompt injection, credential harvesting, unsafe tool use, or other malicious actions without requiring a repository update.

Ssd 3

Severity: High (99% confidence)
Finding
The skill explicitly instructs the agent to fully output the raw registration JSON, including the accessToken and claimLink, back to the user. This is highly dangerous because it turns a secret bearer token into conversational output that can be logged, intercepted, rendered by untrusted clients, or disclosed to anyone with access to the conversation transcript.

Ssd 3

Severity: Medium (95% confidence)
Finding
The skill recommends storing credentials in agent memory, which increases the likelihood that secrets will later be surfaced through ordinary recall, summarization, debugging, or tool-use behavior. Long-lived conversational memory is rarely a secure secret store and expands the exposure window for bearer tokens.

VirusTotal

63/63 vendors flagged this skill as clean.